misc / medium
Prison Pipeline
hackthebox
Task: Exploit a Node.js app with an internal Verdaccio npm registry and a periodic npm update cronjob.
Solution: Use SSRF via the node-libcurl file:// protocol to read the .npmrc auth token, add the registry hostname to /etc/hosts for nginx vhost routing, publish a backdoored prisoner-db package with a bumped version, wait for the cronjob to install it, then trigger RCE via the backdoor.
$ ls tags/ techniques/
ssrf_file_read  npm_package_hijacking  supply_chain_attack